One of the largest ISPs in Europe distributed millions of vulnerable devices to its customers without any security checks. These devices are now up and running all over Europe and can provide Internet access and jump hosts for hackers and criminals.
In this presentation the speaker walks through the whole process of a proper CPE device test, with its pitfalls and joyrides. A handful of 0days were discovered during this test and will be presented. It will be shown how an attacker with zero knowledge can log into a private network by deriving the factory-default WPA passphrase from the MAC address or, even worse, obtaining the changed passphrase. The other 0day brings a root shell, alongside plenty of buffer overflows and factory backdoors in the firmware. The root cause of every vulnerability will be presented to the audience, with good laughs.
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bucsay
1. 0DAY HUNTING
A.K.A.
THE STORY OF A PROPER CPE TEST
Balazs Bucsay - Research Director @ MRG Effitas
OSCE, OSCP, OSWP, GIAC GPEN
@xoreipeip # http://rycon.hu
4. BIO / BALAZS BUCSAY
• Hungarian hacker
• Research Director @ MRG Effitas
• Strictly technical certificates: OSCE, OSCP, OSWP and GIAC GPEN
• Previously worked as an ethical hacker
• Started with ring0 debuggers and disassemblers in 2000 (13 years old)
• Major project in 2009: GI John
6. PRESENTATIONS
• Talks around the world:
  • Atlanta (US)
  • Moscow (RU)
  • London (UK)
  • Oslo (NO)
  • Vienna (AT)
  • Budapest (HU)
• Latest presentation:
  • Chw00t: Breaking unices’ chroot solutions
  • https://github.com/earthquake/chw00t
  • Slides: http://bit.ly/1T78dfM
7. WORK VS PASSION
• This presentation and its findings are not related to my daily work
• I did all this research in my free time
• I don’t like black boxes and closed source
• That said, if you are interested in getting your device tested, contact us!
8. CUSTOMER PREMISES EQUIPMENT - CPE
• None of the vendors care about security
• I was afraid that all the juicy RCE bugs were gone by now
• Truth is: nobody cares, the old bugs are there and will stay there
• Most embedded devices are running old 2.4 kernels
• Worked for the second largest mobile operator doing CPE tests
• Found several RCEs, auth bypasses and XSSs in different devices
9. TODAY’S DEVICE
• Not gonna mention the ISP’s name
• Huge ISP in Europe, with subsidiaries in at least 8 EU countries
• Distributed to more than 6 million customers around Europe
(based on the ISP’s website)
• Mostly covered by the following devices
13. TECHNICOLOR TC7200 - PWNED
Nice walk-through by Peter Geissler (@bl4sty) at Hack In The Box
Amsterdam: http://bit.ly/215GwaN
14. TECHNICOLOR TC7200 - PWNED
Long story short:
• Blasty dumped the memory
• Reverse engineered the ESSID and WPA2-PSK generator
• PSK generator based on ESSID: http://bit.ly/1UnMvTT
(TC7200 only)
16. UBEE EVW3226 - PWNED??
• People started to play seriously with the device around January of 2016
• 0day exploit released (physical access needed) - did not work for me
• Flash content was dumped and uploaded in the same month
• SEC Consult identified overlapping vulns: http://bit.ly/25KdjFK
• Yolosec released a tool as well: http://bit.ly/29isodH
17. THE PLAN
• GOAL 0: get the dump of the filesystem
• GOAL 1: get full access to the device
• GOAL 2: get unauthenticated command/code execution
• GOAL 3: get access to the network
• …
• Profit
18. GOAL 1: GET FULL ACCESS TO THE DEVICE
• Blackbox approach did not succeed
• Filesystem dump was released
• Device is using lighttpd with a custom .cgi binary
• Fired up IDA Pro to look for injection points
24. EXPLOITATION
• The code can be invoked by starting a certain feature of the device
• Two injection points:
• ESSID: max 32 ASCII characters - although it does not accept everything
• PSK: max 64 ASCII characters - accepts all necessary characters
• Admin must be authenticated and connected to the internal network
26. GOAL 2: FIND UNAUTHENTICATED RCE/BOF
• Although we have full access to the device, we still need an admin user to exploit it
• Authentication bypass can be a solution
• Unauthenticated RCE or BOF can help too
28. VANILLA STACK OVERFLOW
Pros:
• Unauthenticated, like I wished for
• Trivial? Vanilla stack overflow
Cons:
• Big-endian Linux on ARM - no public shellcode
• No experience with ARM
• No qemu-system for big-endian ARM, only qemu-user
29. SHELLCODING
• Compiling big endian toolchain with Buildroot
• Compiling static gdbserver for the device
• Debugging the binary for exploitation
• Writing shellcode based on tutorials and others
• Linux ARM big-endian bind shellcode merged into Metasploit:
https://github.com/rapid7/metasploit-framework/pull/6959
30. IN THE GDBSERVER
• No next or nexti, had to put breakpoints on every instruction
• Most of the features are gone
• Stack is not executable - assumed no mitigations, did not check…
• gdbserver turns off stack randomisation (not vanilla anymore) - had to write ROP
• gdbserver turns off ASLR (infoleak needed on the real target)
31. EPIC FAIL
• Only 11 bits are randomised, 1/2048 chance to hit the address
• Webserver forks the process, new memory addresses every time
• Watchdog restarts the web server
• Then realised that lighttpd filters most of the characters -> unexploitable
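Slides 28 to 31 boil down to three constraints on the payload: addresses must be packed in big-endian order for this ARM target, only 11 bits of the target address are randomised in each forked child, and lighttpd drops most byte values. The following is an added example, not code from the talk or from the EVW3226 firmware: the overflow offset, the candidate address and the filter set are constructed placeholders rather than the device’s real values, and the helper names (`pack_addr`, `build_payload`, `find_filtered_bytes`, `hit_probability`) are mine.

```python
"""Added example (not code from the talk or the EVW3226 firmware): the three
payload constraints from slides 28-31 made checkable.  OFFSET, CANDIDATE_ADDR
and FILTERED are constructed placeholders, not the device's real values."""
import struct

# Hypothetical distance from the start of the overflowed buffer to the saved
# return address, and a hypothetical address inside the randomised region.
OFFSET = 132
CANDIDATE_ADDR = 0x40012340

# Hypothetical transport filter: a web server that drops control bytes,
# high-bit bytes and a few URL-significant characters from the field we reach.
FILTERED = set(range(0x00, 0x20)) | set(range(0x80, 0x100)) | set(b'"%&+=?')


def pack_addr(addr: int, big_endian: bool = True) -> bytes:
    """Pack a 32-bit address in target byte order.  Most ARM Linux targets are
    little-endian; this one is big-endian, so the format is '>I', not '<I'."""
    return struct.pack('>I' if big_endian else '<I', addr)


def build_payload(offset: int, ret_addr: int, filler: bytes = b'A') -> bytes:
    """Vanilla stack-overflow layout: padding up to the saved return address,
    then the address that should replace it."""
    return filler * offset + pack_addr(ret_addr)


def find_filtered_bytes(payload: bytes, filtered=FILTERED) -> list:
    """(index, byte) pairs the transport would drop or mangle.  Any hit means
    the payload cannot reach the vulnerable code as-is (slide 31's verdict)."""
    return [(i, b) for i, b in enumerate(payload) if b in filtered]


def hit_probability(random_bits: int, attempts: int) -> float:
    """Chance that at least one of `attempts` blind guesses lands on the right
    address when `random_bits` bits are randomised and every attempt sees a
    fresh layout (the server forks per request; the watchdog restarts it)."""
    p_single = 1.0 / (1 << random_bits)
    return 1.0 - (1.0 - p_single) ** attempts


if __name__ == "__main__":
    payload = build_payload(OFFSET, CANDIDATE_ADDR)
    bad = find_filtered_bytes(payload)
    print("payload bytes:", len(payload))
    print("filtered bytes:", [(i, hex(b)) for i, b in bad])
    print("verdict:", "unexploitable as-is" if bad else "passes filter")
    print("P(hit) after 1 try: %.5f, after 2048 tries: %.3f"
          % (hit_probability(11, 1), hit_probability(11, 2048)))
```

With the constructed values the packed address contains a 0x01 byte, so the filter check fails and the payload is reported as unexploitable as-is, which is the conclusion of slide 31. The probability helper makes the other point concrete: against 11 randomised bits even 2048 blind attempts succeed only about 63% of the time, and here every failed attempt costs a crash and a watchdog restart.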
32. AUTHENTICATION BYPASS
• Found by Search-lab
• Turns the authenticated RCE into an unauthenticated one
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
33. GOAL 3: GET ACCESS TO THE NETWORK
• Fallback options:
• admin:admin account could still work in default cases
• previously generated backup can be downloaded
• We only need access to the internal network to get full access
• Let’s dig into the binaries
37. WPA2-PSK, SSID, WPS PIN GENERATION ALGORITHM
• Based only on the MAC address, nothing else
• Depends on whether it is the 5 GHz or the 2.4 GHz band
• MAC can be sniffed
• WPS PIN generation is based on the same idea
• Algorithm released on the 3rd of July by Yolosec
42. GETTING INTO THE NETWORK
• If the user changed the SSID: you can still get the passphrase
• If the user changed the PSK: let’s generate the WPS PIN
• All of these can be generated from the MAC address
• From nothing to root in 2 minutes (default credentials)
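Slides 37 and 42 rest on the WPS PIN being a function of the sniffable MAC address. The following is an added example, not the talk’s or Yolosec’s generator (which this page does not reproduce): it implements only the public WPS PIN checksum rule from the Wi-Fi Simple Configuration specification, as used by hostapd and Reaver, so that any generated PIN can be checked for well-formedness. It also makes visible that an eight-digit WPS PIN carries at most seven digits of information, before a MAC-derived scheme removes even those. The helper names and the sample PIN are mine.

```python
"""Added example: WPS PIN structure check (the public checksum rule, not the
EVW3226's MAC-based generator, which the talk does not publish here)."""


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN.
    Digits are weighted 3,1,3,1,... from the right, as in hostapd/Reaver."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_full_pin(pin7: int) -> str:
    """Append the checksum digit, keeping leading zeros (PINs are strings)."""
    if not 0 <= pin7 <= 9_999_999:
        raise ValueError("pin7 must fit in seven decimal digits")
    return f"{pin7:07d}{wps_pin_checksum(pin7)}"


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight digits whose last digit is the correct checksum.
    A generator whose output fails this check would be rejected by the AP,
    so the seven leading digits are the only ones a scheme can actually vary."""
    return len(pin) == 8 and pin.isdigit() and wps_full_pin(int(pin[:7])) == pin


if __name__ == "__main__":
    # Constructed sample: 1234567 is a demonstration value only, not a PIN
    # associated with any real device.
    pin = wps_full_pin(1234567)
    print(pin, is_valid_wps_pin(pin))        # 12345670 True
    print(is_valid_wps_pin("12345678"))      # False: wrong checksum digit
```

The seven free digits give a random PIN a keyspace of 10^7; once every one of them is derived from the MAC, the keyspace an attacker has to search is one, which is what "all of these can be generated from the MAC address" means in practice.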
46. and if you are too lazy to crack a password…
WHO NEEDS MORE?
48. FURTHER VULNERABILITIES
• Previously requested backup can be downloaded without authentication
• Plaintext passwords all over the device (nvram, heap, configs)
• Backdoor users in passwd and shadow files
• Command injections and buffer overflows
49. IMPACT
• A few million customers are potentially vulnerable
• Anybody can access their network and get root in a few minutes
• Botnets, jump hosts, Tor gateways, etc.
• Newest Snowden leaks: secret services use MitM on routers
• You cannot be sure that you don’t have a device like this at home
50. Balazs Bucsay - @xoreipeip
Thank you for your attention!
Q&A